susan k. berry - vita · 10/21/2016 · we are excitedto participate and grow our partnership for...

Verizon Enterprise Solutions 703 East Grace Street, 7th Floor Richmond, VA 23219 Phone: (804) 241-6546

October 21, 2016

Commonwealth of Virginia Virginia Information Technologies Agency 117511 Meadowville Lane Chester, VA 23836

Dear Greg Scearce:

On behalf of Verizon, we thank you for the opportunity to participate in the Commonwealth of Virginia’s Request for Information for Server, Data Center and Security Services. Verizon has had the privilege of providing Services to the Commonwealth for the past 22 years. We look forward to the opportunity to collaborate and provide trends of the rapidly evolving market from strategic partner perspective while balancing the advancing agency technology business needs.

Verizon truly understand the needs and concerns of the Commonwealth. As a partner for many years, Verizon has a unique perspective on existing services and procurement of those strategic services. We look forward to discussing industry best practices and how a fluid environment can be created for delivering solutions quickly and with flexibility to change as technology progresses and to customize solutions that fit each agency and their specific needs.

As the author of the Data Breach Investigation Report, Verizon continues to collaborate with dozens of industry leaders and to understand trends within the Security world and the direction those trends are going within State and Federal Government. We are uniquely positioned to evolve your existing Networks as well and offer a robust service delivery model that includes Governance, Operational Processes and Performance Management.

We are excited to participate and grow our partnership for many years to come and look forward to receiving your feedback on our proposal.

Thanks again for your time and consideration.

Respectfully,

Susan K. Berry For additional information or questions please contact: Susan Berry, Client Partner Verizon Enterprise Solutions 703 East Grace Street, Richmond VA 23219 (804) 241-6546 [email protected]

mailto:[email protected]

for

SERVER, DATA CENTER, AND SECURITY SERVICES

Request for Information 2017-14

October 21, 2016 Presented by: Susan Berry Client Partner 703 East Grace Street, 7th Floor Richmond, VA 23219 (804) 241-6546 [email protected]

A Proposal to

Commonwealth of Virginia


Commonwealth of Virginia Table of Contents

.

October 21, 2016 i

Table of Contents General Information.................................................................................................... 1

Executive Summary ................................................................................................... 2

Section 1. Introduction ................................................................................................ 5

Section 2. Submission Logistics and Contact Information .......................................... 8

Section 3. Overview of RFI Documents ...................................................................... 9

Section 4. Respondent Contact Information ............................................................. 10

Section 5. Questions ................................................................................................ 11

Section 6. Feedback Regarding RFI Documents ..................................................... 43

Appendix A. Sample Invoice(s) ................................................................................ 44

Commonwealth of Virginia General Information

.

October 21, 2016 1

General Information Nature of Proposal

Verizon Business Network Services Inc., on behalf of MCI Communications Services, Inc. d/b/a Verizon Business Services and its affiliates (Verizon’s) proposal is submitted in good faith with the intention of negotiating a legally binding definitive agreement following an award of business to Verizon.

Verizon does not consider the proposal itself to be a legally binding offer to contract.

In the event of an award to Verizon, Verizon will provide Customer with a written agreement that includes mutually agreeable terms and conditions.

Verizon expects that neither the RFP nor Verizon proposal will be incorporated in any definitive agreement, but such agreement will address the topics in this RFP and Verizon proposal and supersede both.

By submission of this response, Verizon makes no representation that it can or will provide any equipment, installation, maintenance, management or other services in every location.

Verizon’s ability to provide equipment and related services in certain locations is pending and contingent on Verizon’s development of product offers, including but not limited to service availability; negotiation of acceptable pricing and terms with Customer, subcontractors, affiliates and operating companies; development of operational and billing support; addressing tax and export/import concerns; obtaining required licenses and registrations to do business.

Verizon disclaims any and all liability for any damages whatsoever associated with Verizon inability to perform or provide any services proposed by Verizon in this RFP.

For services provided by a Verizon U.S. affiliate, such services will be provided by one or more of the entities in the U.S. Affiliate listed in the Guide. For services provided by a non-U.S. affiliate, such services will be provided by the Verizon Operating Company as indicated in the agreement.

“Guide” means the online Service Publication and Price Guide, which contains Service product descriptions, definitions, terms and conditions, and pricing, and is accessible on Verizon’s Internet website, accessible via the following link: http://www.verizonenterprise.com/us/publications/service_guide (or at such other URL as may be designated by Verizon from time to time).

Verizon reserves the right to modify the Guide from time to time, as specified in the Guide.

http://www.verizonenterprise.com/us/publications/service_guide

Commonwealth of Virginia Executive Summary

.

October 21, 2016 2

Executive Summary Verizon has been a longstanding partner with VITA for many years. As such, we have a comprehensive understanding of the challenges of delivering flexible and affordable solutions to each Agency and Department. Verizon understands how building a new model to deliver these services will be critical for VITA’s success in the future. Verizon's comprehensive Operational Transformation suite will enable the Commonwealth to simplify, consolidate, and standardize operations; lower costs; and deliver flexible IT services to the business without compromise - transforming IT operations from a cost-center to a business growth enabler.

Verizon’s primary objective in our response to VITA’s Request for Information (RFI) 2017-14 for Server, Data Center and Security Services is to provide insight on the increasingly complex service delivery landscape as it relates to Storage/Server Solutions and Security Solutions, as well as the criticality of delivering services over secure networks. Verizon’s responses are predicated on our vast knowledge of network evolution over the last few decades and the natural progression of layering Storage and Security Solutions onto a secure network. Verizon’s participation in standards bodies, government and industry think tanks, coupled with our unparalleled network and security experience (over 75% of the world’s data traffic moves across our backbone), provide a balanced view of how service delivery is changing for Local and State Government.

Verizon has become increasingly aware of the following key trends in the areas you have asked for:

Cloud Services: more is delivered through the cloud - but not everything!

Security Solutions: when threats are changing this fast, it can feel like you’re running just to stand still.

Multiple suppliers: supplier ecosystems are now vital, big and small have to work together for customers.

Cross-functional activities: silo’ d approaches are a thing of the past, the present and future involves multi-disciplinary teams.

Provisioning of additional services already used by the client (e.g., work requests, IMACs): Being local, agile and qualified is key.

Keeping pace with technological change in the marketplace: the pace of change has become impossible to keep up with - customers need to work with experienced partners to selectively address change and trends.

Implementing innovative services and models: multi-layered and hybrid approaches will be winning ones. No one size fits all even within the same customer.

As a global service provider it is necessary for Verizon to understand market trends and cutting edge technologies not only for our own needs but to best support our customers as they look to


.

October 21, 2016 3

expand and evolve their own business. In the face of new networking capabilities and advanced communications solutions, new business challenges are emerging for VITA and the Commonwealth of Virginia. To address some of the challenges that come along with service delivery and changing policies, Verizon has created our Premium Client Services Models to help with these critical business needs to include:

Address increasing security compliance requirements while maintaining decreased IT staff

Ensure existing business capabilities can keep pace with technology advancements

Maintain and supplement IT infrastructure to support changing market demands

Stay ahead of evolving and complex sourcing strategies

Align methodologies to manage solutions effectively and efficiently

Deliver complex transformation projects on time and within budget

As technology continues to evolve, proper care for and management of complex solutions becomes increasingly critical to VITA. Program Management can combat the complexity VITA encounters while focusing on driving business results. It is designed to help enhance networking and advanced communications solutions by leveraging:

Professionally-certified experts, seasoned in strategic service planning and delivery, and proficient in ITIL standards and focus

Leading lifecycle management, road mapping, governance, and process improvement expertise

Standards-based project management expertise and certified resources

End-to-end holistic and seamless solution support

In-depth knowledge of your technologies, their uses and contributions to your business objectives incorporated

Verizon has helped augment our customer’s core competencies, reduce the complexity associated with managing them, and ultimately offer a world-class technology environment that help deliver solutions. An effective business partner should allow you to offload your critical projects and complex tasks, such as managing your technology infrastructure and allow you to pursue goals that can empower your business by offering:

SOW-based Premium Client Services, as well as components of fully outsourced, transformational solutions

Flexibility; choose the support and resource model that fits your needs


.

October 21, 2016 4

Dedicated resources focused on driving tangible improvements to your network or communications services, based on support requirements

Cost-effective support, whether minimal management assistance or deeper services integration is required

Organizations like VITA are turning to Service Providers to solve an ever-increasing need to drive cost efficiencies, identify and execute growth strategies, and transform to a more competitive business model. We know there is no “one-size-fits-all” approach. However, the starting point of any transition requires a detailed understanding of your current model and identification of where you want to be tomorrow. We appreciate the opportunity to share some of our best business practices with you and look forward to further discovery and consultation.

Commonwealth of Virginia Section 1. Introduction

.

October 21, 2016 5

Section 1. Introduction The intent of this Request for Information (RFI) is solely to gather information; it is not a formal procurement. Responding to the RFI is not a pre-requisite to submitting a proposal for any subsequent procurement. Respondents should not provide any confidential or proprietary information.

Ownership of all data, materials, and documentation originated and prepared for VITA pursuant to the RFI shall rest exclusively with VITA. All information provided to VITA as part of this RFI will not be publicly disclosed, but shall be subject to public inspection in accordance with the §2.2-4342 of the Virginia Public Procurement Act and the Virginia Freedom of Information Act.

Verizon Response

Verizon has read and understands.

A. IT Infrastructure Services Program (ITISP) Overview

This procurement event is a component in VITA’s overall strategy to implement a new IT Infrastructure Services Program (ITISP). This program will position VITA to fulfill its vision to “deliver agile technology services at the speed of business” by better balancing the needs of the individual agencies and the enterprise in a multisupplier ecosystem. The ITISP is intended to accomplish the following:

• Maintain and improve service quality.

− Develop the capability to address evolving agency needs and create opportunities to improve service performance without degrading service reliability, security, and quality.

• Ensure cost competitiveness - both now and in the future.

− Structure service offerings so they can be more easily compared to market services at market rates; offer a menu of service options to customers.

• Create a platform view of service delivery that is highly visible and accountable.

− Provide for Enterprise and Agency visibility of consumption, cost, performance, and the responsiveness of suppliers. Establish a governance structure and forums to promote stakeholder engagement and improve the balance of agencies and enterprise needs.

Procurement of new services that will transition the Commonwealth from a single supplier model to an integrated multisupplier model is occurring over three waves. VITA has begun implementing Wave 1 of this transition by awarding a contract for Messaging services in July 2016 and a contract for IBM Mainframe services in September 2016. Wave 2 of this transition begins with this Request for Proposal (“RFP”) soliciting proposals for the services of a multisourcing service integrator (MSI). That procurement was released on September 29, 2016 under RFP# 2017-03. The Wave 2 procurements are also intended to include services for Server, Storage, Data Center LAN, Data Center Facilities, and Managed Security Services (abbreviated as “Server, DC, and Security”).


.

October 21, 2016 6

Respondents to this RFI are encouraged to review the publicly available RFP# 2017-03 documents for additional context. Note also that there will be a Pre-Proposal Web Conference for the MSI RFP, scheduled for Tuesday, October 4th at 2 pm. Information to register for the conference is indicated in the RFP Instructions for RFP# 2017-03.

Verizon Response


B. RFI Purpose

VITA has decided to accelerate its MSI implementation, such that the contract for RFP# 2017-03 is awarded while the other Wave 2 procurements are still underway. The initial focus on the MSI RFP allows additional time at the front-end of the timeline to gather further market research for Server, DC, and Security via this RFI. This RFI will allow VITA to improve the quality of the resultant RFP or RFPs to be released around the end of 2016.

Currently, VITA’s Wave 2 internal RFP teams are structured around two separate potential RFPs: 1.) Server, Storage and Data Center Services and 2.) Managed Security Services. However, VITA is interested in identifying the most efficient demarcation or bundling of these services between RFPs. For example, perhaps it would be more efficient to separate the Data Center facilities from the other Server services; or perhaps it would be better to include some or all of the Security services with the Server RFP. VITA anticipates resolving these decisions, and other questions as detailed in the Section 5 (Questions) below, in part by considering feedback obtained from marketplace participants via this RFI.

The Commonwealth has the following goals for the procurements:

Server, Storage, and Data Center Services • Assume all existing Services for Server, Storage, Data Center LAN, and Centralized Data

Center facility currently provided to the Commonwealth via the Comprehensive Infrastructure Agreement (CIA) with Northrop Grumman.

• Transition to the next generation of delivery for Server, Storage, and Data Center services to VITA and Customers, taking advantage of the ever-changing technology landscape while decreasing costs to VITA and Customers.

• Provide compute, storage, and Data Center LAN services that are flexible, rapidly provisioned, cost effective, transparent, and elastic to meet VITA and Customer needs while preserving enterprise requirements such as security and compliance management.

Managed Security Services • Replace the existing security services included within the Comprehensive Infrastructure

Agreement (CIA) with Northrop Grumman.

• Support VITA’s Commonwealth Security and Risk Management (CSRM) directorate by acting as its operational “hands and feet”:

− Advising on risks and standards development

− Assessing vulnerabilities and compliance (suppliers and agencies)

− Provide security monitoring and integration tools across the environment


.

October 21, 2016 7

− Respond to and address security risks and incidents

− Provide tools and technologies to protect the environment from compromise

− Provide security services that are adjustable to meet compliance needs of the Customer and adaptable to advancements in both security and technology industries

− Establish, implement and maintain a secure enterprise information technology environment ensuring the confidentiality, integrity and availability of critical Commonwealth information and systems

− Provide VITA and its Customers with access to their data and metadata, in real-time

Verizon Response


Commonwealth of Virginia Section 2. Submission Logistics and Contact Information

.

October 21, 2016 8

Section 2. Submission Logistics and Contact Information Issue Date: September 29, 2016

Due Date / Time: October 21, 2016 at 3:00 pm EST

Response Delivery Method: E-mail attachment or CD sent to Single Point of Contact. Note: e-mail must be received by the due date and time; CD must be post-marked by the due date, but can be received later. E-mail attachments must be limited to 10 MB.

Single Point of Contact (SPOC): Greg Scearce

Telephone: (804) 416-6166

E-mail Address: [email protected]

Mailing Address: 11751 Meadowville Lane, Chester, VA 23836

Pricing: No pricing information should be submitted

Document Format: Return this document, having populated Section 4 (Respondent Contact Information), Section 5 (Questions) below, and Section 6 (Feedback Regarding RFI Documents)

RFI Questions and Answers: Suppliers may submit questions regarding this RFI at any time via e-mail to the SPOC.

Verizon Response


Commonwealth of Virginia Section3. Overview of Rfi Documents

.

October 21, 2016 9

Section3. Overview of RFI Documents Within this RFI, VITA has chosen to release the following documents, which are drafts of some key documents anticipated for release in a final RFP or RFPs.

• Exhibit 2.1-a: Server, Storage, Data Center LAN Services

• Exhibit 2.1-b: Data Center Facilities Services

• Exhibit 2.1-c: Managed Security Services

• Exhibit 2.2: Cross-Functional Services

• Exhibit 3.1-a: Server, Storage, Data Center LAN, and Data Center Facilities SLA Matrix

• Exhibit 3.1-b: Managed Security SLA Matrix

• Exhibit 3.2-a: Server, Storage, Data Center LAN, and Data Center Facilities SLA Descriptions

• Exhibit 3.2-b: Managed Security SLA Descriptions

• Exhibit 4: Pricing and Financial Provisions

• Exhibit 4.1-a: Server, Storage, Data Center LAN, and Data Center Facilities Pricing and Volumes Matrix

• Exhibit 4.1-b: Managed Security Pricing and Volumes Matrix

• Exhibit 4.2-a: Server, Storage, Data Center LAN, and Data Center Facilities RU Definitions

• Exhibit 4.2-b: Managed Security RU Definitions

• Exhibit 4.4: Form of Invoice

Verizon Response


Commonwealth of Virginia Section 4. Respondent Contact Information

.

October 21, 2016 10

Section 4. Respondent Contact Information Please provide your contact information in the box below.

Contact Information Enter your response here, enlarging the box as needed

Company Name Verizon Enterprise Solutions

Company Mailing Address 4101 Cox Road, STE 200, Glen Allen, VA 23060

Company Website Address http://www.verizon.com

Name of Contact Person Susan Berry

Contact Person E-mail Address [email protected]

Contact Person Telephone # (804) 241-6546

http://www.verizon.com/


Commonwealth of Virginia Section 5. Questions

October 21, 2016 11

Section 5. Questions Please use the table to respond to the Commonwealth’s questions.

Ref# Category Question Supplier Response

A. Server/Storage Services

Q1. Server/Storage The Commonwealth has upwards of 10 non-centralized Data Centers in Agency-operated buildings, primarily in the metro Richmond area. What are examples of Suppliers’ best practices in managing the Servers, Storage, Firewalls, and Data Center LANs in non-centralized (Agency) facilities?

Verizon recommends that VITA look at a migration strategy to consolidate as many of the non-centralized Data Centers as possible into a hosted solution. For the infrastructure at the non-centralized data centers that cannot be migrated into a hosted solution, Verizon would recommend a service provider support this infrastructure in order to free up VITA support resources.

Q2. Server/Storage What does the Supplier recommend for the length of the contract for Server, Storage, and Data Center Services? Please describe benefits and trade-offs.

Verizon recommends a three year contract term. The main reason for this recommendation is to allow customers the ability to achieve the maximum discount structure, and to reduce non-reoccurring charges associated with shorter term contracts. This also allows customers to capitalize on technology evolution, and remain technically agile. In addition, contract terms of this length allow customers to transform and optimize their environments as technology changes, while avoiding vendor lock in.

Q3. Data Center What do you recommend for the length of the contract for the Data Center Facility for this type of environment?

Verizon recommends a three year contract term.


October 21, 2016 12


Q4. Server/Storage What does the Supplier recommend for technology refresh rate for the different types of Devices in VITA’s environment? Is there an impact on the length of the services contract?

Verizon recommends that VITA pursue an “as a service” type model. By leveraging this type of model VITA would be able to take advantage of advances in technology without having the upfront costs associated with technology refresh cycles. For those devices in VITA’s environment that cannot fit into an “as a service” model, Verizon recommends refresh cycles between 3 and 5 years.

Q5. Server/Storage The Commonwealth is interested in a separate hardware charge in the Server RUs to account for the initial capital outlay for physical servers. Is there a better way to represent the cost differences and hardware refresh cycle in the Server RU structure?

Verizon recommends that VITA pursue an “as a service” type model. In this model, RU charges can be easily reported and charged by individual server utilization metrics such as CPU, memory, and storage. This type of model will also speed time to market, and will not require large upfront capital spends.

Q6. Server/Storage

The Commonwealth is proposing tiering of services for Server and Storage in an attempt to align costs with availability and performance. Based on your experience, do these tiers of service have any challenges in developing a solution? Do you have experience with these service tiering model? Do you have any recommendations or enhancements for the Commonwealth to consider?

Verizon agrees with VITA’s approach of a tiered service delivery model. The main challenge associated with a tiered strategy is the classification of data and developing the timeline to which data is reclassified to another tier. Verizon recommends looking at holistic data classification exercise to help determine how and when the tiered model should be implemented.


October 21, 2016 13


Q7. Server/Storage

The Commonwealth currently spreads costs across a very simple RU model. Do you have an enhanced RU model that could offer a larger variety of services while minimizing the RUs and their complexity?

Verizon has the ability to offer a variety of costing models including usage based billing. This type of model could allow VITA to bill at a more granular level instead of simply at an RU level. Verizon’s capability to provide detailed usage and billing reports will help simplify the complexity of billing while allowing charges to be based solely upon usage.

Q8. Server/Storage

The Commonwealth is including Bronze thru Platinum service levels for Server as examples of service categories. What would be required to implement this model in the Commonwealth?

Verizon recommends that all service categories include a common baseline support level. In addition to the baseline support, Verizon recommends the ability of additional support service levels to be added in an “a la carte” model based upon performance and criticality of the service needed. In order to implement this type of model a baseline support level would have to be defined as well as the additional layered support services.

Q9. Server/Storage

Do you see a better way to bundle or spilt the services we are requesting, in order to more effectively integrate with other towers (including MSI), and obtain more flexibility in the Commonwealth’s IT environment while maintaining appropriate Governance and security?

It is Verizon’s recommendation that the services VITA is requesting be as bundled as possible. Servers, storage, firewalls, data centers, security, etc. all play a crucial role in the IT delivery model. By bundling as many of these services as possible VITA has the ability to streamline their time to market strategy while provided the uptime and security of the most mission-critical applications.

Q10. Server/Storage

Are their new Storage offerings, like Object Based Storage or predictive storage, that the Commonwealth should include in storage or enhanced services? How do you offer and charge for virtual storage?

Object Based storage lets customers securely store, access, and protect all their non-transactional data in the Cloud, making it readily available and accessible via the Internet in practically any location around the world with high availability and performance. Verizon


October 21, 2016 14


offers this service through a variety of ways including a customer portal and through Application Programming Interfaces (API’s). Verizon charges for Object Based Storage through a usage based billing model, on a per GB basis.

Q11. Server/Storage

The Commonwealth is interested in ensuring it provides optimal storage performance and availability for VITA and VITA’s Customers. How do you propose to provide and measure this performance?

Verizon recommends that this service be delivered from a Cloud platform with a highly redundant infrastructure and network in order to provide enterprise level performance. Through the use of standard monitoring toolkits VITA will have the ability to monitor every aspect of both the storage environment as well as the network.

Q12. Server/Storage

The Commonwealth has traditional x86 virtual servers, but it is also interested in the capabilities of a private cloud. Could they be combined or left separate? Please describe how this could be accomplished most effectively.

Verizon recommends exploring Cloud Service Providers (CSP’s) that offer flexible cloud deployment and compute options. Specifically CSP’s that allow customers to choose the deployment and compute mix that best suits their business and security needs, including public, virtual private, or private cloud delivered both off premise or on premise. Verizon also recommends the use of providers that offer hybrid cloud to extend inclusion of physical assets. Where customers can easily bridge existing private, public and hybrid clouds as well as traditional IT and colocation environments. All while maintaining strong security and application performance. Verizon also recommends providers that allow customers to deploy workloads over multiple facilities, and leverage storage resources for applications, backups, file sharing, and more.

Q13. Server/Storage How does Database as a Service make sense for an Enterprise like the Verizon feels that a Database as a Service model


October 21, 2016 15


Commonwealth? Do you have any recommendations for how to charge for enhanced Database services (i.e., Development DBA)?

would greatly benefit VITA from a predictable billing perspective as well as allowing VITA to charge on a per project basis.

Q14. Server/Storage

The Commonwealth wants to provide cost effective solutions to VITA and the Agencies. What do you describe as the key cost and value drivers that would help the Commonwealth offer services that are not cost prohibitive to deliver? Do you see any requirements in the description of services in this RFI that would cost more to meet than the business value they provide?

Verizon recommends the implementation of a cloud based delivery model. The type of delivery model is designed to evolve as customer applications mature. Customers can migrate existing, build new applications or add popular pre-integrated cloud applications in an on-demand model while only paying for the resources in use.

Q15. Security

The Commonwealth is interested in an Enterprise Key Management System for compliance and security. How do you propose the Commonwealth request Key Management services?

Verizon’s recommendation is to look at your risk coupled with compliance to include signature event correlation as a holistic view into your security posture.

Q16. MSI

Identity and Access Management (IAM) services and the systems supporting those functions are currently split between multiple providers. How do you propose bringing these services together to provide a single integrated service?

As part of establishing an Identity Management Program Plan for VITA using the existing Identity and Access Management Suite, Verizon will assist VITA in reviewing, designing, building, and implementing three major functional areas:

Identity Management: This function will be responsible for establishing and cancelling accounts, password management, providing a self-service functionality, and centrally enforcing identity policies and procedures. In this function, VITA strives to improve management and administration of all identities affiliated with VITA’s roles, group membership, and user data.

Access Management: This function will manage and streamline authentication, authorization, and identity


October 21, 2016 16


federation processes across the entire organization. An effective Access Management solution will reduce overhead and simplify the integration of new applications and services with these functions.

Audit, Reporting, Compliance and Governance: This function will streamline, automate, and simplify the reporting of identity data. Using systems provided, VITA is striving to reduce time and overhead in reporting and responding to audit requests and ensuring compliance with regulatory requirements.

1. Simplify the End User Experience

a. Map accounts and unify/reduce the number of different passwords a user maintains.

b. Provide centralized self-service password reset capabilities for all VITA users.

c. Enable Single Sign On for enterprise applications.

d. Expedite access management enablement process for the end user.

2. Establish an Audit and Compliance Ready Access Management Environment

a. Minimize administrator and infrastructure personnel overhead required to support the audit process.

b. Centrally generate Audit reports for users' Access across enterprise


October 21, 2016 17


applications.

c. Prevent excessive permission requests through enforcement of a centralized access request process.

3. Streamline User and Role Life Cycle Management Process

a. Streamline and automate establishment and cancellation of user accounts across enterprise applications.

b. Link the user's identity and access privileges across enterprise applications including PeopleSoft HCM and physical security badges.

c. Enable access requests, grant, approve, delegate, re-certify and/or terminate tasks through a centralized online portal.

The detailed task list is as follows:

Work Stream I - Provisioning and Identity Aggregation Ongoing Responsibilities (across all work streams)

Consult on Best Practices and Thought Leadership (IAM Expert recommendations);

Provide Customer Mentoring/Training;

Support Documentation development;

Provide Project Planning;

Provide Schedule and Financial Tracking;


October 21, 2016 18


Issue Escalation and Resolution Procedures;

Provide Communications Management Analysis/ Design

Finalize requirements

Provide gap analysis using case definitions;

Provide application, data store, OS inventory;

Create Detailed Design;

Create Test Plan.

Implementation

Install and configure secure, robust identity and access management platform;

Provide IAM Platform integration with systems such as PeopleSoft HCM, Physical Access Card, Active Directory (AD) and Single Sign On Directory;

Automate establishment and cancellation of accounts across PeopleSoft HCM, Physical Access Card, AD, Exchange, Single Sign On Directory and Maximo;

Configure Self Service functionality for Employees and Contractors;

Configure Password Reset .functionality for Help Desk personnel and IT

Administrators;

Configure email notifications such as password expirations.

QA


October 21, 2016 19


Provide Production Deployment in HA and DR Environment.

Work Stream II - Access Management and Strong/Multi-Factor Authentication Roadmap

Provide Single Sign Solutions for multiple applications such as PeopleSoft, SharePoint, IBM Maximo, Documentum and various .NET and Java based Agency applications;

Integrate with existing Identity Manager;

Integrate with VPN;

QA

Product Deployment in HA and DR Environment.

Work Stream III - Role Management, SoD and Recertification Provide Project Management;

Create Extended Design with HA and .DR capabilities.

Roadmap

Manage direct report access recertification/attestation processes;

Access cleanup notification workflows as a result of recertification processes;

Provide roadmap for Integrations;

Institute Role Mining and Integrations.

QA


October 21, 2016 20


Production Deployment in HA and DR Environment.

Work stream IV - System Administration Roadmap

Monitor IAM/SSO servers for performance and tune applications as needed based on results obtained.

Patch the IAM/SSO development, QA and production servers for monthly Windows updates, provide quarterly Oracle critical patch updates, and security updates for Windows, Java and Oracle components.

Monitor establishment and cancellation of user accounts using identity manager as well manual implementation on ad hoc basis.

Monitor the SSO proxy servers for high traffic and loads and take necessary steps to avoid any proxy server failures.

Perform quarterly comparisons of user's data and status in IAM with the user's data and status in system of records i.e. PeopleSoft HR and Prowatch and take corrective steps in IAM, if needed.

Provide on-call support in case of planned/un-planned system failures, system outages, data center outages and restore system functionality. Prepare incident response documents for each incident.

Regularly update and maintain the IAM/SSO system documents, code repositories and project


October 21, 2016 21


plans.

Report the IAM/SSO system status on a weekly and ad hoc basis.

Verizon has a very strong history in Identity and Access Management projects. Aside form a number of IAM managed services which are run in the cloud we have also executed larged managed and unm,anaged on-premise programs ($2m value and beyond) in the areas of Identity Consolidation/Aggregation and Identity and Access Governance. Our expertise in these technologies lies in the area of OpenIM, RSA, CA, IBM and Oracle. As the following sample project plan shows this is how we would tackle such a project.


October 21, 2016 22


Q17. MSI

The Commonwealth has defined the cross-functional requirements in Exhibit 2.2. Do you have any comments in the structure and handoffs identified in this document? Do you have any prior experience working with MSIs? Do you have any recommendations regarding the approach for how the MSI should interact with the other suppliers?

Cross-functional Activities Cross-functionality is now key in enterprise service delivery. It is clear from the trends we have observed that the following is taking place:

Silo’d operational models are no longer working

There is strong intersectionality between CRM and ERP systems and citizen-facing applications. We have noticed this in particular in Healthcare related agencies across the US - there is a large uptick in the number of agencies which are leveraging eConsent and other mechanisms in order to provide unified healthcare. This is reflected in a cross-functional need in the back-end where service delivery is affected by the need to be able to link the full operational lifecycle of a citizen’s record: from the contact center right through to troubleshooting, development and engineering.

The only models in which this works with complete success is through provisioning XXX-as-a-Service. These fully cloud-based approaches implement one of the biggest drivers for Cross-functionality, namely Data Management. A true XXX-as-Service model would include these elements


October 21, 2016 23


The majority of elements (the larger “burden of complexity”) is run by the supplier in each of these models and in the full Software-as-a-Service model the ownership of the cross-functional areas is maintained by the vendor entirely.

Q18. MSI

Do you see any benefits or challenges in requiring the Data Center facility provider to also be responsible for providing common operating monitoring groups in the same solution (e.g., CMOC, ITOC, SOC, NOC)?

Benefits Proximity to the environment leading to possibly

quicker resolution of issue

Shared staff across datacenter and operating/monitoring

Challenges Requires dedicated resourcing

May be more challenging to repurpose for different customers VITA may have in the future

Continuous integration and Continuous delivery and


October 21, 2016 24


deployment (if these are VITA objectives) would require:

1) Agency focus - aligning business and security strategies to ensure just right, just enough security that everyone in an organization can support and implement. Making it easier to understand the controls necessary to support business outcomes ultimately makes implementing security something anyone can do.

2) Scalability - security in support Continuous Integration; solving problems by reducing the amount of manual processes and time it takes to achieve a risk reduced outcome.

3) Producing Actionable Intelligence, having operating, monitoring and the facility all in close proximity to produce results which develop into immediate action. Objective criteria and actionable intelligence can become more powerful than policies because it can be tuned to the current maturity of controls within a business that also allows risk decisions to be better understood.

Continuous Detection & Response: allowing for real-time information used to identify events of interest and incidents that require response to be harnessed for decision making and forecasting of defensive controls required to support business outcomes.

Q19. MSI The Commonwealth currently has a single traditional DR solution that requires the entire backup Data Center to be failed over. There is a desire to move to a more flexible solution that allows single Agencies or even applications to be

Verizon recommends that VITA’s MSI play a role in the disaster recovery solution. The provider will


October 21, 2016 25


failed over individually. This process requires design, development, operations, testing, and coordination. What role should VITA’s MSI should play in this effort in relation with the Server Services provider?

require direct input from VITA’s MSI related to the discovery and planning phases. These two vital phases will not only guide the provider in determining the criticality of the applications, but also their dependencies. These components along with the expertise of VITA’s MSI team will allow for the successful deployment of a total disaster recovery solution.

Q20 Data Center

The Commonwealth is interested in Multi-site High Availability and Disaster Recovery Services. At a high-level, what do you recommend on the number and locations of centralized Data Centers the Commonwealth should utilize for that purpose? Any tradeoffs?

Verizon recommends at least two data center locations that are geographically diverse, as well a potential third location where workloads can be replicated and activated on-demand.

Q21 Migration

Suppliers will be required to provide an implantation plan to specify how they will take over responsibility for the existing environment. The Commonwealth is also interested in recommendations with regard to how the Commonwealth could migrate or transform to new Service offerings. What do you recommend for this migration plan?

Our strategy with regards to the implementation plan and migrating to take advantage of new service offerings is twofold. In the first instance we would follow:

1. Discovery

2. Assessment

3. Planning and Design

1. Discovery: Gain Understanding of Current Environment-

a. Physical inventory b. Server assets (Capacity Planner) c. Network (NetBrain) d. SAN e. Backups f. Applications g. Traffic Flow (ExtraHop) h. Business requirements


October 21, 2016 26


i. Logical groupings 2. Assessment: Understand Your Future

State- a. Level of service b. Transformation methodology c. Remediation d. VLAN reduction e. Network/Security layout f. System/application Upgrades g. Support infrastructure

3. Planning and Design: Create a Transformation Plan-

a. Create new infrastructure layout b. Document remediation, consolidation

and mitigation efforts c. Document transition and move dates d. Transform!

With regards to the adoption of new service offerings and taking advantage of a migration plan which includes that, the following considerations should be taken into account when looking at migration options. In our plan we :

1) Reinstalling applications a. Advantages:

i. Standardize Images / OS ii. Forces Upgrades iii. Strongest SLA iv. Least Downtime for cutover

b. Disadvantages: i. Not Practical for Whole

Environment ii. Data Replication

2) V-V, P-V or P-P


October 21, 2016 27


a. Advantages i. No Reinstall Required ii. Easiest Migration iii. Generally Least Risk iv. Can Use DR Tools for

Migration b. Disadvantages

i. Hybrid Cloud ii. Does Not Force Remediation iii. Standard Services

3) Forklift a. Advantages

i. Simple ii. Required for non-cloud

Applications iii. Appliances or systems too

large to virtualize b. Disadvantages

i. Hosting Only ii. Downtime During Migration iii. Potential Bandwidth Issue

4) Replace with Service a. Advantages

i. Cloud Solution ii. Best Overall iii. Sophisticated Services iv. Inherent SLA’s and

Governance v. Most Common Services

b. Disadvantages i. Limited to Common Apps of

Services 5) Decommission

a. Advantages i. Cloud Solution Replaces

Many Applications ii. 10-20% of Infrastructures for


October 21, 2016 28


Support iii. Additional 10%. Possible

b. Disadvantages i. Only Works for Support Apps ii. Requires Deep Investigation

Q22. Enhanced Services

The Commonwealth is interested in receiving proposals to include new enhanced services, (e.g., Cloud, Analytics, Managed File Transfer) Can you recommend any other such enhanced services the Commonwealth should also consider including at the moment? How would you recommend these services be delivered?

As more services transition to an “as a service” model, the breadth of enhanced services will continue to increase. Verizon recommends that VITA look more toward a utility model when exploring delivery models for enhanced services such as Software as a Service (SaaS) and Platform as a Service (PaaS).


As the technology landscape changes in the Commonwealth’s environment, could you describe other enhanced services that VITA and VITA Customers should consider in the future?

Verizon recommends that VITA consider the powerful role that the network will play as the landscape continues to evolve. Technologies such as Software Defined Networking (SDN) and Network Functions Virtualization (NFV) will allow VITA to improve flexibilities, efficiencies, and time to market.

The blistering pace of technology in the public sector has uncovered a number of technologies which are currently utilized in government, business and citizen-facing environments. It can be hard to grasp which of these enhance the customer experience and providing the maximum return on investment. Considering the VITA environment and VITA customers the following are areas which Verizon has identified as being key:

Internet of Things

The World of IoT is becoming increasngly complex and will feature heavily in VITA’s Customers businesses moving forward. Developers face multiple


October 21, 2016 29


obstacles to bring applications to life. Access to tools, the cost of connecting to the network, and what to do with all that data. The following areas are key to resolving these challenges and strong support for an IoT environment which can be flexible and universally leveraged by agencies. These areas are:

Professional Services for IoT

Analytics

Managed Services for IoT

Device services

Connectivity and

An API-driven developer platform which a allows developers to create applications, customers to manage devices, partners to market their services,


What would you propose as a good business case for virtualizing the desktop (offering VDI)?

By virtualizing the desktop Verizon expects VITA to see benefits such as uniform images, less expensive desktop upgrades, faster troubleshooting process, and potentially more secure data. With the benefits


October 21, 2016 30


mentioned above, a good business case can be created for migrating to a VDI environment.

Q25. Data Center LAN

What do you recommend as the best demarcation point between the Data Center LAN and the Network or WAN? The Commonwealth wants to make the cleanest scope separation for a future WAN Network RFP.

The recommended point of demarcation between the LAN and WAN is one that best provides the scope of services desired. In a traditional Data Center environment it is suggested that the point of demarcation be set to allow for ease of additional provider services, while maintaining a uniform WAN service offering. In many cases this would be terminating a managed services router from your network services provider. This will ensure a strong SLA from your provider and allows for additional services that are not able to be provided by the customer themselves. One such example of such a service is Denial of Service protection. These types of offerings can be provisioned within the service provider network on their end of the network connection. By maintaining such security and filtering feature on the provider end, the traffic is never placed on your network connectivity. This provides the greatest level of protection against such performance impacting attacks.

Going one step further would be the modern Cloud-based data center design. In this design the customer is only responsible for the data-accessing infrastructure rather than the data-providing infrastructure. This allows for a much more cohesive architecture where the provider is responsible for the overall infrastructure. The customer can specify their desired level of performance and uptime and separate the ongoing responsibility of maintaining the physical


October 21, 2016 31


infrastructure needed to support the infrastructure.

Verizon’s strategy takes this one step further by blending the actual WAN network architecture directly into the Cloud network architecture. Our various product offerings can seamlessly provide a wide range of connectivity directly to our Cloud platforms. In this manner your enterprise WAN integrates cohesively to your Data Center connectivity. While additional levels of service or redundancy could be layered on top of the infrastructure, the underlying product-set can be the same, simplifying your overall architecture.


In the current RFI, the Commonwealth has bundled Data Center LAN services (e.g., switching, routing, load balancing and firewall) with Server and Storage services. Do you find any challenges, issues, or concerns with this approach and why? Any recommendations?

Overall this is one valid approach to service segmentation when attempting to unify technology silos or to limit resource spread across multiple towers. It is cautioned that high performance LAN services can differ in scope and performance than server or storage farm services. One concern in this approach would be the utilization of generic tools instead of tools tailored to the desired functional scope. Load balancing is an ideal example of this as when approached from a traditional server or storage farm perspective, the functionality is relatively simple. With multiple data centers it is suggested to pull back and consider implementing this at the Cloud or Network service provider level. Traffic can be more intelligently assigned geographically, functionally, or based upon performance outside of the customer edge. From these perspectives the implementation becomes part of the underlying network service offering and decreases the load to the Data Center or


October 21, 2016 32


server farms connectivity and LAN infrastructure.


The Commonwealth did not bundle Data Center LAN services (e.g., switching, routing, load balancing and firewall) with the Data Center Facility services (e.g., HVAC, power, raised floor). Do you believe this is the correct approach? Do you have any recommendations?

Unless resource constraints drive the unification of these roles, this is the recommended approach. While facility infrastructure may bring some concerns, i.e.: power or head load within a section of the data center, it should only be viewed as a guiding or limiting factor. These factors should not be the deciding factor for service technologies. The implementation of switching, routing, load balancing, firewalls, etc. should be guided by the needs of the service itself. The proper design of high performance Data Center network infrastructure requires specific knowledge and skillsets.

Choices in the Data Center services should drive facility enhancements such as additional cooling or floor reinforcement wherever possible. The converse, however, should not be true. Facility limitations should not be the driving factor for technology decisions. The limitations of traditional data center facilities in this manner is one of the driving forces behind the move to Cloud based services. When faced with aging infrastructure, enterprises find themselves focused on facility liabilities and limitations. They have been forced into a situation where they find themselves choosing between technology initiatives due to the lack of space, power, and cooling in their facility. Cloud based offerings have allowed the enterprise to step outside of its physical limitations and once again focus on the true goal of meeting the needs of their technology customers.


October 21, 2016 33



The Commonwealth is considering decoupling the Data Center Facility services from the Server, Storage, and Data Center LAN services. What do you think of this approach? What do you think are the advantages, disadvantages and tradeoffs of splitting the facility services out versus coupling these services with Server, Storage, Data Center LAN?

As discussed in Question 27 above, we believe that facility services are a distinctly separate entity from server, storage, and LAN services, especially as it pertains to high capacity data center services. Decoupling these entities facilitates the Commonwealth’s ability to flexibly award various services to different vendors across a combination of facilities owned by the Commonwealth, owned by a provider, or in Cloud based environments. This enables the Commonwealth to focus on best in class solutions for its users rather than the underlying infrastructure these solutions run on top of.


Supplier is expected to provide centralized Data Center LAN services. Should LANs in non-centralized Data Centers be part of the scope for Data Center LAN services or bid as part of Network/WAN in a future procurement? What would be the pros/cons and tradeoffs?

The direction for this question would be dependent upon the methods and intent of the final RFP awards. If the Commonwealth desires a complete takeover of existing facilities and services then it would be critical that the care and maintenance of any non-centralized Data Center be considered as part of the award for any Data Center RFP.

Alternatively, if the intent is to allow these decentralized Data Centers to continue as unique entities outside of the Data Center award then it would be critical to ensure a path forward as part of any additional network services procurement.

A third option would be to consider a wide range of Cloud services models, which would encompass various sizes of Data Center and services platforms. This model could allow for a menu of services that would ensure scalability from small server deployments to large Data Centers. On demand


October 21, 2016 34


models would also allow for ramp up and ramp down of seasonal demand needs.


If the solution includes new Data Centers, who should provision and manage the network connections between the Data Center locations? Should it be the Network Provider, the Data Center Provider or the Server, Storage, Data Center LAN Provider?

Maintaining a cohesive network strategy is key to an effective, manageable network that can handle the needs of your users today and grow with your IT plan for the future. It is a given that a Data Center will have differing reliability and performance metrics than small remote site which may lead to picking and choosing from available providers on an opportunity by opportunity basis. Ultimately, this sort of patch work network pieced together from various providers leads to an infrastructure based on a range of differing capabilities, anticipated performance, varying reliability, and differing SLAs. In the end this sort of infrastructure requires more planning, management, resources, and is more costly to keep operating efficiently.

To avoid such a patch work infrastructure requires the development of a cohesive network strategy. By partnering with a provider who can offer a full range of services you can meet the IT needs of user groups ranging from small telecommuters up to large data centers. The VPN offering that handles a remote office will be very different from the high-speed, diverse, redundant gigabit offering for your data centers, however, it will ride a cohesive network.

Each of the towers will play an important role in the specification of your network connection needs. The Data Center provider may have requirements around bandwidth and latency, while the LAN provider may require specific interfaces or technology types. Once


October 21, 2016 35


these specifications are determined your network provider can develop an overall solution that integrates into your overall network architecture avoiding those one-off patch work solutions. In the end, this will ensure interoperability, leverage overall spend, remove complexity from the network, simplify ecosystem management, and ultimately lead to cost-saving efficiency.

Q31. Data Center

How does the Supplier propose to migrate Server, Storage, Data Center LAN services out of the CESC datacenter by June 2019 or earlier? Describe how the Supplier would seamlessly migrate out of CESC like-for-like, transform to new services, or a combination of the two? What are the recommended approaches?

Verizon recommends that the migration strategy not be limited to one solution. The migration strategy should be built around the goal of zero downtime through the use of migration tools and over-the-wire data transfers so services can be migrated from CESC to the new data center locations seamlessly. Verizon also recommends a detailed project be created to govern the migration.

Q32. Cloud Services

The Commonwealth is interested in a solution that integrates traditional hosting services with new private, community, and public cloud offerings. How do you propose integrating these services?

Verizon recommends that VITA explore Cloud Service Providers (CSP’s) that offer flexible cloud deployment and compute options. Specifically CSP’s that allow customers to choose the deployment and compute mix that best suits their business and security needs, including public, virtual private, or private cloud delivered both off premise or on premise. Verizon also recommends the use of providers that offer hybrid cloud to extend inclusion of physical assets. Where customers can easily bridge existing private, public and hybrid clouds as well as traditional IT and colocation environments. Verizon also recommends that VITA continue to include the network as part of the integration solution as it will play a vital role in the


October 21, 2016 36


integration of traditional services and hosting services.

Q33. Cloud Services What would be the best practice with regard to Suppliers owning the cloud contracts and potentially transferring that contract to the Commonwealth? Should the Commonwealth own that contract outright? Are there any other alternatives to be considered?

Verizon recommends the Commonwealth own the contract outright.

Q34. Cloud Services When the Commonwealth buys cloud services offerings how do you propose to identify where the data and services are located?

Verizon recommends that the data and service location be defined contractually.

B. Financial/Server Storage

Q35. Pricing Structure The Commonwealth is interested in creating the best possible pricing structure for the Services. In light of that fact, Supplier is invited to both comment on the structure described in Exhibit 4.1 and 4.2, and to propose an alternate pricing structure if they believe that it will better serve the interests of both parties. The Commonwealth will contemplate any proposed pricing structure along five dimensions: 1. Predictable: To the greatest extent possible, customers should be able to

forecast charges ahead of time; changes in pricing that occur over time should not be a surprise.

2. Manageable: The pricing should not be so complex that it is needlessly difficult to administer. If quantities of work or equipment in the environment must be measured, then those quantities should be as easy and transparent as possible to measure.

3. Fair: The service pricing must be a reasonable proxy for a services provider’s underlying costs and should adequately recover those costs. Additionally, to the extent possible, the party that causes any incremental cost should bear that cost.

4. Incentives: All pricing structures will incentivize certain behaviors and discourage others. The goals of the sourcing program must be kept in mind when considering the behaviors that might be driven by a pricing structure. For example, a goal to encourage server consolidation might include reduced cost at a centralized data center.

5. Flexible: As consumption moves up and down, the charges should also adjust. Technology is an evolving industry, and the ability to turn down an old service to turn up a new service is one of the benefits of an efficient IT sourcing agreement. Such adjustments may include minor volume changes month to month, significant scope additions, reductions, or terminations,

The pricing structure exhibits appear to very comprehensive, but could present an opportunity to add additional flexibility to them. For instance, the service levels of Platinum, Gold, Silver, and Bronze provide several varieties of support options, but do not appear as granular as they could be. By providing a common base level of support that all resources must contain, and then giving the option for additional service levels to be layered on top of the base level, increases the level of flexibility that could be achieved.

This type of model could increase the dimensions of manageable, fair, incentives, and flexible by providing the functionality to choose exactly what service levels are required on top of the base level support for a given service.

The one dimension that could be negatively impacted by this type of model would the predictability model. Because the additional services could be offered as an “a la carte” model, pricing could vary depending on the support level that is chosen for a particular service. It is Verizon’s opinion that the advantages of this type of model would far outweigh the


October 21, 2016 37


and ability of large service providers to re-deploy investments. disadvantages in flexibility and agility.

Q36. Inventory and Volume Collection

The Commonwealth is interested in introducing new Resource Units that do not exist in the current contract; in order to fairly compensate Supplier for service delivered, and support the other goals described in question 36, Supplier is asked to describe their experience and approach to collecting and verifying volumes both before and after contract signing, and the approaches they use to adjusting financials in the event that the initial count is incorrect. For example, today database support is provided by the Supplier, but is not separately billable. The Commonwealth sees an advantage to separating out database support and making it a separate chargeable unit, how would the service provider collect and verify the volumes to support this chargeable unit?

If there are specific “Invoice” requirements that are a “must have,” Verizon will work collectively with VITA to address them appropriately.

Q37. Asset Ownership

The Commonwealth consumes certain services today which are underpinned by a set of assets (servers, firewalls, etc.). The Commonwealth (or their designee) has the right to acquire these assets. The Commonwealth has a desire to consume services; rather than own assets, and envisions Supplier acquiring these assets and using them to provide services back to the commonwealth. Please describe experiences acquiring assets from an incumbent, and also describe your recommend financial treatment of their cost recovery for these assets.

Verizon offers Customer Premise Equipment (CPE) Solutions Financing Program Options for the Commonwealth. The following two plans include a buyback option depending on the condition of the existing CPE. Where available, the Commonwealth may obtain use of a System and/or CPE Service from Verizon or a Third Party Finance Company or directly through a third party of the Commonwealth’s choice. The two plans which fit the Commonwealth’s requirements in this regard are:

Monthly Recurring Plan.

With MRP, the Commonwealth will be provided with CPE Services as Monthly Recurring Plan. The Title to CPE will be held by Verizon or by a third party financing company, including a Verizon Affiliate

The Commonwealth may only use CPE on a Commonwealth location or co-located in Verizon’s facilities and is dedicated to use for the Commonwealth’s benefit only

All moves, modifications, or relocations of


October 21, 2016 38


CPE are be performed by Verizon

Direct Third Party Leasing/Financing Option.

Where available, the Commonwealth may obtain a System and/or CPE Service from Verizon through a direct financing arrangement with a third party financing company approved by Verizon.

C. Managed Security

Q38. Security

The Commonwealth’s Managed Security description of services includes all the required scope bundled for a single experienced Security Supplier. Do you see any challenges or issues with this bundled model?

Verizon does not see any issues or challenges. We currently support multiple diverse government architectures within our umbrella of services. Our ability to handle a bundled model enhances our visibility and response to malicious security incidents.

Q39. Security

Do have any concerns or recommendations regarding how to scale Managed Security Services to organizations of the size and complexity of the Commonwealth?

Verizon has extensive experience scaling Managed Security services to organizations with the size and complexity of the Commonwealth. Our best practice recommendation involves properly scoping the environment and mapping it to your desired security posture.

Q40. Security

Can you provide examples of comparable environments where you offer security services similar to those required by the Commonwealth?

Verizon currently manages and monitors the security and network environments for many federal, state and Commonwealth entities with multiple diverse agencies and departments. Their current security solution is comprised of multiple Verizon offerings to include Managed Security Services & Network Security Services.


October 21, 2016 39


Q41. Security Have you supported Managed Security services in distributed environments - both physical and virtual including on premise and off premise implementations?

Yes, Verizon has supported Managed Security services in a distributed environment both physical and virtual including on premise and off premise implementations.

Q42. Security Do you offer solutions supporting geographically diverse locations (e.g., remote location with satellite)?

Yes, Verizon security capabilities can support geographically diverse service locations.

Q43. Security

How have you implemented solutions similar to those in the Commonwealth making use of a centralized federated environment?

Yes, Verizon has implemented solutions across all government entities which create a centralized secure gateway to the internet to support multiple agencies and services in a centralized federated environment.

Q44. Security

What do you consider to the be the key challenges and tradeoffs for the implementation of Managed Security Services in an environment similar to the Commonwealth?

A challenge Verizon often encounters involves customers unilateral scoping the Managed Security services environment, which results in unclear expectations. In order to prevent this we utilize a pre-sales validation methodology with multiple customer and Verizon contributors providing input.

Q45. Security

What do propose at a high level to be the key strategies and implementation elements of any typical security services solution migration?

Verizon’s pre-sales validation methodology ensures that Verizon has the proper resources engaged from both the customer and Verizon. Verizon has a designated team which includes a dedicated Project Manager to ensure the successful deployment and ongoing operational management and oversight.

Q46. Security Can you recommend additional Managed Security Services that are not currently included or considered in the scope of described services?

Verizon recommends additional managed services such as DDoS Services, Governance, Risk and Compliance Program to be considered for the scope.


October 21, 2016 40


Q47. Security

Based in your experience, what are the key challenges with regard to the regulatory requirements included in the scope of services? Do you have any recommendations based on your experience?

The regulatory requirements are ever changing which present challenges for many customers. Verizon’s recommendations are both programmatic and point in time assessments to stay in front of the ever changing landscape.

Q48. Security Do you have any guidelines or best practices regarding whether the various Managed Security Services are better off being remotely hosted or on premise?

Verizon can conform to either scenario, however, Verizon recommends on premise as it is closer to the physical network.

Q49. Security Do you think you would be able to provide all the described Managed Security Services yourselves or will you require to subcontract any services to other third parties?

All Managed Security Services are provided only by Verizon badged employees within the United States.

Q50. Scope Demarcation

VITA is interested in identifying the most efficient demarcation or bundling of these services between RFPs. For example, perhaps it would be more efficient to separate the Data Center facilities from the other Server services; or perhaps it would be better to include some or all of the Security services with the Server RFP. Please provide any further experience or suggestions regarding scope demarcation between potential RFPs.

Verizon’s stance is that Security services play a vital role in all aspects of information technology. Whether it be physical security, logical security, or network security, all three components combine to provide the highest level of security possible. Verizon may recommend that VITA entertain the idea of combining Server services, Data Center facilities, and Security services while developing their RFP strategy.

D. Financial/Managed Security

Q51. Pricing Structure The Commonwealth is interested in creating the best possible pricing structure for the Services. In light of that fact, Supplier is invited to both comment on the structure described in Exhibit 4.1 and 4.2, and to propose an alternate pricing structure if they believe that it will better serve the interests of both parties. The Commonwealth will contemplate any proposed pricing structure along five dimensions: 1. Predictable: To the greatest extent possible, customers should be able to

forecast charges ahead of time; changes in pricing that occur over time should not be a surprise.

2. Manageable: The pricing should not be so complex that it is

Verizon’s recommendation to delineate each specific area i.e. Security, Network & Professional Services. Verizon recommends a tier price for Analytics and a per device price for Management. Verizon’s best practice recommendation involves properly scoping the environment and mapping it to your desired security posture to provide appropriate pricing.


October 21, 2016 41


needlessly difficult to administer. If quantities of work or equipment in the environment must be measured, then those quantities should be as easy and transparent as possible to measure.

3. Fair: The service pricing must be a reasonable proxy for a services provider’s underlying costs and should adequately recover those costs. Additionally, to the extent possible, the party that causes any incremental cost should bear that cost.

4. Incentives: All pricing structures will incentivize certain behaviors and discourage others. The goals of the sourcing program must be kept in mind when considering the behaviors that might be driven by a pricing structure. For example, a goal to encourage server consolidation might include reduced cost at a centralized data center.

5. Flexible: As consumption moves up and down, the charges should also adjust. Technology is an evolving industry, and the ability to turn down an old service to turn up a new service is one of the benefits of an efficient IT sourcing agreement. Such adjustments may include minor volume changes month to month, significant scope additions, reductions, or terminations, and ability of large service providers to re-deploy investments.

Q52. Inventory and Volume Collection

The Commonwealth is interested in introducing new Resource Units that do not exist in the current contract; in order to fairly compensate Supplier for service delivered, and support the other goals described in question 36, Supplier is asked to describe their experience and approach to collecting and verifying volumes both before and after contract signing, and the approaches they use to adjusting financials in the event that the initial count is incorrect. For example, today database support is provided by the Supplier, but is not separately billable. The Commonwealth sees an advantage to separating out database support and making it a separate chargeable unit, how would the service provider collect and verify the volumes to support this chargeable unit?

If there are specific “Invoice” requirements that are a “must have,” Verizon will work collectively with VITA to address them appropriately.


October 21, 2016 42


Q53. Asset Ownership

The Commonwealth consumes certain services today which are underpinned by a set of assets (servers, firewalls, etc.). The Commonwealth (or their designee) has the right to acquire these assets. The Commonwealth has a desire to consume services; rather than own assets, and envisions Supplier acquiring these assets and using them to provide services back to the commonwealth. Please describe experiences acquiring assets from an incumbent, and also describe your recommend financial treatment of their cost recovery for these assets.

Verizon offers Customer Premise Equipment (CPE) Solutions Financing Program Options for the Commonwealth. The following two plans include a buyback option depending on the condition of the existing CPE. Where available, the Commonwealth may obtain use of a System and/or CPE Service from Verizon or a Third Party Finance Company or directly through a third party of the Commonwealth’s choice. The two plans which fit the Commonwealth’s requirements in this regard are:

Monthly Recurring Plan.

With MRP, the Commonwealth will be provided with CPE Services as Monthly Recurring Plan. The Title to CPE will be held by Verizon or by a third party financing company, including a Verizon Affiliate

The Commonwealth may only use CPE on a Commonwealth location or co-located in Verizon’s facilities and is dedicated to use for the Commonwealth’s benefit only

All moves, modifications, or relocations of CPE are be performed by Verizon

Direct Third Party Leasing/Financing Option.

Where available, the Commonwealth may obtain a System and/or CPE Service from Verizon through a direct financing arrangement with a third party financing company approved by Verizon.

Commonwealth of Virginia Section 6. Feedback Regarding Rfi Documents

October 21, 2016 43

Section 6. Feedback Regarding RFI Documents Please use the table below to provide commentary regarding specific documents included within this RFI, adding rows as necessary.

Ref# Document/Section Supplier Commentary

C1. VITA-RFI 2017-04.4 Exh Form of Invoice.docx

If there are specific “Invoice” requirements that are a “must have,” Verizon will work collectively with VITA to address them appropriately. Please reference the Sample Invoice that Verizon has provided in Appendix A of this RFI.

C2.

C3.

C4.

C5.

Commonwealth of Virginia Appendix A. Sample Invoice(s)

October 21, 2016 44

Appendix A. Sample Invoice(s) Please refer to our attached icon(s) below, pertaining to Sample Invoice(s).

TFG Invoice Example.pdf